Tuesday, 28 May 2013

One could argue that security is hard. Not all aspects of it, mind you, but the prevalence of website hacks would seem to indicate that plenty of people are struggling to get it right.

On the other hand, insecurity can be very easy. What I mean by this is that sometimes it can be the smallest change to a website that blows the security wide open.

Last week someone passed me a private note about Black and Decker, or more to the point, they passed me a link to an unsecured ELMAH log. For the uninitiated, ELMAH logs and their discovery via Google is something I’ve written about before. In fact in this very case it was someone simply searching for some info on ELMAH that lead to this discovery – it’s that easy.

Now I want to stress that this is not intended to be all about Black and Decker and before posting this I did privately contact them and they have now correctly secured the logs. In fact there are tens of thousands of Google results for publicly exposed ELMAH logs so clearly this is a very prevalent risk. Let me first share the video on what you can do with exposed ELMAH logs then I’ll come back around to the point of this post:

That should put things into context regarding the risk of exposed ELMAH logs and it goes well beyond just session hijacking. For example the risk includes access to:

Customer email addresses as they’re stored in the cookie

IP address of users (including of individual customers per the previous point)

Passwords (these are also sometimes stored in cookies)

Referrers (discloses entry points into the site)

Any other data on the site that is accessible if the session can be hijacked

Keep in mind that there are tens of thousands of log entries in this particular site so there’s quite a profile an attacker could have built up.

Here’s the point I want to make: a frankly massive security hole like exposed ELMAH logs can occur as a result of the smallest configuration change and it begs the following questions:

Is there any continuous security scanning of the site? This was a very basic error and in fact my own very basic ASafaWeb scanner could have caught this on a daily scheduled scan and reported it within 24 hours of the risk occurring. Other commercial products could have identified a far broader range of risks but the point is that security scanning needs to be continuous, not just a one off, not on an annual basis, not just on major changes but all the time.

Who can release changes? You’ve gotta wonder if a case like this was just a junior dev not realising what they were doing. Mind you, I’ve seen plenty of experienced devs make similar mistakes but it begs the question: just how easy is it to slip something through into a production? Is anyone actually overseeing the process? Or does one person have a few beers on a Friday afternoon and push the “publish” button?

What’s the post-release review process? It’s extremely easy for configuration related vulnerabilities to slip through during the release process. For example a developer just wants to quickly check the details of an obscure error in a production environment so they release with verbose errors (i.e. turn off custom errors in ASP.NET) and promise themselves they’ll lock it down later. The release process should ideally catch this and set off all sorts of alarms.

Are you contactable for when things go wrong? I hadn’t planned on including this section originally but given the way things played out (more on that another time), it does illustrate an important point. It was extremely difficult to get in touch with anyone from Black and Decker using social media and published email addresses and I eventually got through to them in a very round-a-bout fashion. It’s very hard for people to do the right thing and disclose privately when they can’t get in touch with you!

Black and Decker presented a good opportunity to illustrate the risk because of their sheer scale. This is a multinational organisation pulling in $6B a year and employing 27,000 people and something so simple slipped past them, is it any wonder that so many companies with such fewer resources struggle? And I’ll stress again – there is (unfortunately) nothing very unique about them having a risk of this nature – it’s alarmingly common as it’s so simple to do. Insecurity is indeed, easy.

Copyright 2014, Troy Hunt

Disclaimer

Opinions expressed here are my own and may not reflect those of my employer, my colleagues, my mates, my wife, the dog and so on and so forth. Unless I'm quoting someone, they're my own opinions and may not necessarily be cohesive nor entertaining but hey, at least they're original.

Designed by me

All original because I'm fussy and you just never quite get exactly what you want from a Blogger template. Besides, the left side of my brain rarely gets out these days and it needed the exercise.